1 use crate::check::check_message;
2 use crate::error::TLSError;
3 #[cfg(feature = "logging")]
4 use crate::log::{debug, trace};
5 use crate::msgs::base::Payload;
6 use crate::msgs::ccs::ChangeCipherSpecPayload;
7 use crate::msgs::codec::Codec;
8 use crate::msgs::enums::AlertDescription;
9 use crate::msgs::enums::{ContentType, HandshakeType, ProtocolVersion};
10 use crate::msgs::handshake::HandshakeMessagePayload;
11 use crate::msgs::handshake::HandshakePayload;
12 use crate::msgs::handshake::NewSessionTicketPayload;
13 use crate::msgs::message::{Message, MessagePayload};
14 use crate::msgs::persist;
15 use crate::server::ServerSessionImpl;
16 use crate::session::SessionSecrets;
17 use crate::verify;
18
19 use crate::server::common::{ClientCertDetails, HandshakeDetails, ServerKXDetails};
20 use crate::server::hs;
21
22 use ring::constant_time;
23
24 // --- Process client's Certificate for client auth ---
25 pub struct ExpectCertificate {
26 pub handshake: HandshakeDetails,
27 pub server_kx: ServerKXDetails,
28 pub send_ticket: bool,
29 }
30
31 impl ExpectCertificate {
into_expect_tls12_client_kx(self, cert: Option<ClientCertDetails>) -> hs::NextState32 fn into_expect_tls12_client_kx(self, cert: Option<ClientCertDetails>) -> hs::NextState {
33 Box::new(ExpectClientKX {
34 handshake: self.handshake,
35 server_kx: self.server_kx,
36 client_cert: cert,
37 send_ticket: self.send_ticket,
38 })
39 }
40 }
41
42 impl hs::State for ExpectCertificate {
handle( mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message, ) -> hs::NextStateOrError43 fn handle(
44 mut self: Box<Self>,
45 sess: &mut ServerSessionImpl,
46 m: Message,
47 ) -> hs::NextStateOrError {
48 let cert_chain =
49 require_handshake_msg!(m, HandshakeType::Certificate, HandshakePayload::Certificate)?;
50 self.handshake
51 .transcript
52 .add_message(&m);
53
54 // If we can't determine if the auth is mandatory, abort
55 let mandatory = sess
56 .config
57 .verifier
58 .client_auth_mandatory(sess.get_sni())
59 .ok_or_else(|| {
60 debug!("could not determine if client auth is mandatory based on SNI");
61 sess.common
62 .send_fatal_alert(AlertDescription::AccessDenied);
63 TLSError::General("client rejected by client_auth_mandatory".into())
64 })?;
65
66 if cert_chain.is_empty() {
67 if !mandatory {
68 debug!("client auth requested but no certificate supplied");
69 self.handshake
70 .transcript
71 .abandon_client_auth();
72 return Ok(self.into_expect_tls12_client_kx(None));
73 }
74 sess.common
75 .send_fatal_alert(AlertDescription::CertificateRequired);
76 return Err(TLSError::NoCertificatesPresented);
77 }
78
79 trace!("certs {:?}", cert_chain);
80
81 sess.config
82 .verifier
83 .verify_client_cert(cert_chain, sess.get_sni())
84 .or_else(|err| {
85 hs::incompatible(sess, "certificate invalid");
86 Err(err)
87 })?;
88
89 let cert = ClientCertDetails::new(cert_chain.clone());
90 Ok(self.into_expect_tls12_client_kx(Some(cert)))
91 }
92 }
93
94 // --- Process client's KeyExchange ---
95 pub struct ExpectClientKX {
96 pub handshake: HandshakeDetails,
97 pub server_kx: ServerKXDetails,
98 pub client_cert: Option<ClientCertDetails>,
99 pub send_ticket: bool,
100 }
101
102 impl ExpectClientKX {
into_expect_tls12_certificate_verify(self, secrets: SessionSecrets) -> hs::NextState103 fn into_expect_tls12_certificate_verify(self, secrets: SessionSecrets) -> hs::NextState {
104 Box::new(ExpectCertificateVerify {
105 secrets,
106 handshake: self.handshake,
107 client_cert: self.client_cert.unwrap(),
108 send_ticket: self.send_ticket,
109 })
110 }
111
into_expect_tls12_ccs(self, secrets: SessionSecrets) -> hs::NextState112 fn into_expect_tls12_ccs(self, secrets: SessionSecrets) -> hs::NextState {
113 Box::new(ExpectCCS {
114 secrets,
115 handshake: self.handshake,
116 resuming: false,
117 send_ticket: self.send_ticket,
118 })
119 }
120 }
121
122 impl hs::State for ExpectClientKX {
handle( mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message, ) -> hs::NextStateOrError123 fn handle(
124 mut self: Box<Self>,
125 sess: &mut ServerSessionImpl,
126 m: Message,
127 ) -> hs::NextStateOrError {
128 let client_kx = require_handshake_msg!(
129 m,
130 HandshakeType::ClientKeyExchange,
131 HandshakePayload::ClientKeyExchange
132 )?;
133 self.handshake
134 .transcript
135 .add_message(&m);
136
137 // Complete key agreement, and set up encryption with the
138 // resulting premaster secret.
139 let kx = self.server_kx.take_kx();
140 if !kx.check_client_params(&client_kx.0) {
141 sess.common
142 .send_fatal_alert(AlertDescription::DecodeError);
143 return Err(TLSError::CorruptMessagePayload(ContentType::Handshake));
144 }
145
146 let kxd = kx
147 .server_complete(&client_kx.0)
148 .ok_or_else(|| {
149 TLSError::PeerMisbehavedError("key exchange completion failed".to_string())
150 })?;
151
152 let hashalg = sess
153 .common
154 .get_suite_assert()
155 .get_hash();
156 let secrets = if self.handshake.using_ems {
157 let handshake_hash = self
158 .handshake
159 .transcript
160 .get_current_hash();
161 SessionSecrets::new_ems(
162 &self.handshake.randoms,
163 &handshake_hash,
164 hashalg,
165 &kxd.shared_secret,
166 )
167 } else {
168 SessionSecrets::new(&self.handshake.randoms, hashalg, &kxd.shared_secret)
169 };
170 sess.config.key_log.log(
171 "CLIENT_RANDOM",
172 &secrets.randoms.client,
173 &secrets.master_secret,
174 );
175 sess.common
176 .start_encryption_tls12(&secrets);
177
178 if self.client_cert.is_some() {
179 Ok(self.into_expect_tls12_certificate_verify(secrets))
180 } else {
181 Ok(self.into_expect_tls12_ccs(secrets))
182 }
183 }
184 }
185
186 // --- Process client's certificate proof ---
187 pub struct ExpectCertificateVerify {
188 secrets: SessionSecrets,
189 handshake: HandshakeDetails,
190 client_cert: ClientCertDetails,
191 send_ticket: bool,
192 }
193
194 impl ExpectCertificateVerify {
into_expect_tls12_ccs(self) -> hs::NextState195 fn into_expect_tls12_ccs(self) -> hs::NextState {
196 Box::new(ExpectCCS {
197 secrets: self.secrets,
198 handshake: self.handshake,
199 resuming: false,
200 send_ticket: self.send_ticket,
201 })
202 }
203 }
204
205 impl hs::State for ExpectCertificateVerify {
handle( mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message, ) -> hs::NextStateOrError206 fn handle(
207 mut self: Box<Self>,
208 sess: &mut ServerSessionImpl,
209 m: Message,
210 ) -> hs::NextStateOrError {
211 let rc = {
212 let sig = require_handshake_msg!(
213 m,
214 HandshakeType::CertificateVerify,
215 HandshakePayload::CertificateVerify
216 )?;
217 let handshake_msgs = self
218 .handshake
219 .transcript
220 .take_handshake_buf();
221 let certs = &self.client_cert.cert_chain;
222
223 sess.config
224 .get_verifier()
225 .verify_tls12_signature(&handshake_msgs, &certs[0], sig)
226 };
227
228 if let Err(e) = rc {
229 sess.common
230 .send_fatal_alert(AlertDescription::AccessDenied);
231 return Err(e);
232 }
233
234 trace!("client CertificateVerify OK");
235 sess.client_cert_chain = Some(self.client_cert.take_chain());
236
237 self.handshake
238 .transcript
239 .add_message(&m);
240 Ok(self.into_expect_tls12_ccs())
241 }
242 }
243
244 // --- Process client's ChangeCipherSpec ---
245 pub struct ExpectCCS {
246 pub secrets: SessionSecrets,
247 pub handshake: HandshakeDetails,
248 pub resuming: bool,
249 pub send_ticket: bool,
250 }
251
252 impl ExpectCCS {
into_expect_tls12_finished(self) -> hs::NextState253 fn into_expect_tls12_finished(self) -> hs::NextState {
254 Box::new(ExpectFinished {
255 secrets: self.secrets,
256 handshake: self.handshake,
257 resuming: self.resuming,
258 send_ticket: self.send_ticket,
259 })
260 }
261 }
262
263 impl hs::State for ExpectCCS {
handle(self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError264 fn handle(self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
265 check_message(&m, &[ContentType::ChangeCipherSpec], &[])?;
266
267 // CCS should not be received interleaved with fragmented handshake-level
268 // message.
269 hs::check_aligned_handshake(sess)?;
270
271 sess.common
272 .record_layer
273 .start_decrypting();
274 Ok(self.into_expect_tls12_finished())
275 }
276 }
277
278 // --- Process client's Finished ---
get_server_session_value_tls12( secrets: &SessionSecrets, handshake: &HandshakeDetails, sess: &ServerSessionImpl, ) -> persist::ServerSessionValue279 fn get_server_session_value_tls12(
280 secrets: &SessionSecrets,
281 handshake: &HandshakeDetails,
282 sess: &ServerSessionImpl,
283 ) -> persist::ServerSessionValue {
284 let scs = sess.common.get_suite_assert();
285 let version = ProtocolVersion::TLSv1_2;
286 let secret = secrets.get_master_secret();
287
288 let mut v = persist::ServerSessionValue::new(
289 sess.get_sni(),
290 version,
291 scs.suite,
292 secret,
293 &sess.client_cert_chain,
294 sess.alpn_protocol.clone(),
295 sess.resumption_data.clone(),
296 );
297
298 if handshake.using_ems {
299 v.set_extended_ms_used();
300 }
301
302 v
303 }
304
emit_ticket( secrets: &SessionSecrets, handshake: &mut HandshakeDetails, sess: &mut ServerSessionImpl, )305 pub fn emit_ticket(
306 secrets: &SessionSecrets,
307 handshake: &mut HandshakeDetails,
308 sess: &mut ServerSessionImpl,
309 ) {
310 // If we can't produce a ticket for some reason, we can't
311 // report an error. Send an empty one.
312 let plain = get_server_session_value_tls12(secrets, handshake, sess).get_encoding();
313 let ticket = sess
314 .config
315 .ticketer
316 .encrypt(&plain)
317 .unwrap_or_else(Vec::new);
318 let ticket_lifetime = sess.config.ticketer.get_lifetime();
319
320 let m = Message {
321 typ: ContentType::Handshake,
322 version: ProtocolVersion::TLSv1_2,
323 payload: MessagePayload::Handshake(HandshakeMessagePayload {
324 typ: HandshakeType::NewSessionTicket,
325 payload: HandshakePayload::NewSessionTicket(NewSessionTicketPayload::new(
326 ticket_lifetime,
327 ticket,
328 )),
329 }),
330 };
331
332 handshake.transcript.add_message(&m);
333 sess.common.send_msg(m, false);
334 }
335
emit_ccs(sess: &mut ServerSessionImpl)336 pub fn emit_ccs(sess: &mut ServerSessionImpl) {
337 let m = Message {
338 typ: ContentType::ChangeCipherSpec,
339 version: ProtocolVersion::TLSv1_2,
340 payload: MessagePayload::ChangeCipherSpec(ChangeCipherSpecPayload {}),
341 };
342
343 sess.common.send_msg(m, false);
344 }
345
emit_finished( secrets: &SessionSecrets, handshake: &mut HandshakeDetails, sess: &mut ServerSessionImpl, )346 pub fn emit_finished(
347 secrets: &SessionSecrets,
348 handshake: &mut HandshakeDetails,
349 sess: &mut ServerSessionImpl,
350 ) {
351 let vh = handshake.transcript.get_current_hash();
352 let verify_data = secrets.server_verify_data(&vh);
353 let verify_data_payload = Payload::new(verify_data);
354
355 let f = Message {
356 typ: ContentType::Handshake,
357 version: ProtocolVersion::TLSv1_2,
358 payload: MessagePayload::Handshake(HandshakeMessagePayload {
359 typ: HandshakeType::Finished,
360 payload: HandshakePayload::Finished(verify_data_payload),
361 }),
362 };
363
364 handshake.transcript.add_message(&f);
365 sess.common.send_msg(f, true);
366 }
367
368 pub struct ExpectFinished {
369 secrets: SessionSecrets,
370 handshake: HandshakeDetails,
371 resuming: bool,
372 send_ticket: bool,
373 }
374
375 impl ExpectFinished {
into_expect_tls12_traffic(self, fin: verify::FinishedMessageVerified) -> hs::NextState376 fn into_expect_tls12_traffic(self, fin: verify::FinishedMessageVerified) -> hs::NextState {
377 Box::new(ExpectTraffic {
378 secrets: self.secrets,
379 _fin_verified: fin,
380 })
381 }
382 }
383
384 impl hs::State for ExpectFinished {
handle( mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message, ) -> hs::NextStateOrError385 fn handle(
386 mut self: Box<Self>,
387 sess: &mut ServerSessionImpl,
388 m: Message,
389 ) -> hs::NextStateOrError {
390 let finished =
391 require_handshake_msg!(m, HandshakeType::Finished, HandshakePayload::Finished)?;
392
393 hs::check_aligned_handshake(sess)?;
394
395 let vh = self
396 .handshake
397 .transcript
398 .get_current_hash();
399 let expect_verify_data = self.secrets.client_verify_data(&vh);
400
401 let fin = constant_time::verify_slices_are_equal(&expect_verify_data, &finished.0)
402 .map_err(|_| {
403 sess.common
404 .send_fatal_alert(AlertDescription::DecryptError);
405 TLSError::DecryptError
406 })
407 .map(|_| verify::FinishedMessageVerified::assertion())?;
408
409 // Save session, perhaps
410 if !self.resuming && !self.handshake.session_id.is_empty() {
411 let value = get_server_session_value_tls12(&self.secrets, &self.handshake, sess);
412
413 let worked = sess.config.session_storage.put(
414 self.handshake.session_id.get_encoding(),
415 value.get_encoding(),
416 );
417 if worked {
418 debug!("Session saved");
419 } else {
420 debug!("Session not saved");
421 }
422 }
423
424 // Send our CCS and Finished.
425 self.handshake
426 .transcript
427 .add_message(&m);
428 if !self.resuming {
429 if self.send_ticket {
430 emit_ticket(&self.secrets, &mut self.handshake, sess);
431 }
432 emit_ccs(sess);
433 sess.common
434 .record_layer
435 .start_encrypting();
436 emit_finished(&self.secrets, &mut self.handshake, sess);
437 }
438
439 sess.common.start_traffic();
440 Ok(self.into_expect_tls12_traffic(fin))
441 }
442 }
443
444 // --- Process traffic ---
445 pub struct ExpectTraffic {
446 secrets: SessionSecrets,
447 _fin_verified: verify::FinishedMessageVerified,
448 }
449
450 impl ExpectTraffic {}
451
452 impl hs::State for ExpectTraffic {
handle( self: Box<Self>, sess: &mut ServerSessionImpl, mut m: Message, ) -> hs::NextStateOrError453 fn handle(
454 self: Box<Self>,
455 sess: &mut ServerSessionImpl,
456 mut m: Message,
457 ) -> hs::NextStateOrError {
458 check_message(&m, &[ContentType::ApplicationData], &[])?;
459 sess.common
460 .take_received_plaintext(m.take_opaque_payload().unwrap());
461 Ok(self)
462 }
463
export_keying_material( &self, output: &mut [u8], label: &[u8], context: Option<&[u8]>, ) -> Result<(), TLSError>464 fn export_keying_material(
465 &self,
466 output: &mut [u8],
467 label: &[u8],
468 context: Option<&[u8]>,
469 ) -> Result<(), TLSError> {
470 self.secrets
471 .export_keying_material(output, label, context);
472 Ok(())
473 }
474 }
475